Project

General

Profile

Actions

Bug #91993

closed

Official documentation and actual implementation of AuthenticationService is fatally mismatching

Added by S P over 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
2020-08-13
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The documentation states:

a value of 0 or a value of 100 or more indicates that the authentication has failed, but that further services should keep trying.

But the actual code treats 0 like totally failed, to NOT try further (it checks the return code for greater 0 not greater--or-equal 0):

foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {
    if (($ret = $serviceObj->authUser($tempuser)) > 0) {
        // If the service returns >=200 then no more checking is needed - useful for IP checking without password
        if ((int)$ret >= 200) {
            $authenticated = true;
            break;
        }
        if ((int)$ret >= 100) {
        } else {
            $authenticated = true;
        }
    } else {
        $authenticated = false;
        break;
    }
}

if ($authenticated) {
    // Leave foreach() because a user is authenticated
    break;
}

Luckily we did not trust the docs blindly in one of our projects but checked the core code first - else we had run in severe problems.

This must be fixed one way or the other.

IMHO, the docs should be correct. It must be possible to override a failed authentication by custom code. This is not possible if the service chain just ends hard.

Currently overriding failed core auth is only possible if an unknown hash algorithm is used.

Our use cas ist this:
  • If a user is not "blocked" (check in a custom auth service with priortity >50), then just run core auth, else fail hard (negative return).
  • if not blocked and core auth fails (wrong password given) we increase a failed login attempt counter and eventually block the user (custom auth service with priority <50)
  • when core auth succeeds we unblock the user in the custom auth with priotity <50

This is not possible currently.


Files

auth.png (6.73 KB) auth.png Sybille Peters, 2020-08-13 18:52
Actions

Also available in: Atom PDF